<a href="https://gdpr.eu/article-32-security-of-processing/">Article 32</a> requires that data controllers and data processors secure consumer data using the “appropriate technical and organizational measures.”

Recommended <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/">security practices </a> include:

<ul>
<li>Encrypting and anonymising personal data</li>
<li>Keeping processing systems and services confidential and available</li>
<li>Taking steps to maintain system resiliency and integrity</li>
<li>If an incident occurs, ensuring personal data access can be restored as soon as possible</li>
<li>Implementing a process for security evaluation</li>
</ul>

In short, businesses under the GDPR are expected to ensure security for any personal data they process and Article 32 outlines specific guidelines for what&#39;s required.

Article 32

Established by the <a href="https://transcend.io/laws/cpra/">CPRA</a>, the <a href="https://cppa.ca.gov/">California Privacy Protection Agency (CPPA)</a> is a new privacy regulator tasked with creating and enforcing California’s growing canon of privacy laws.

The CPPA is currently headed by Ashkan Soltani and will be responsible for: 

<ul>
<li>Auditing compliance with existing privacy legislation</li>
<li>Evaluating potential violations</li>
<li>Levying fines for non-compliance</li>
<li>Creating and implementing new laws</li>
</ul>

As of May 2022, the CPPA was finalizing certain CPRA requirements concerning automated decision-making, cybersecurity audits and risk assessments, and specific guidelines on certain consumer rights. Having already requested feedback on these topics, the CPPA is set to be done by the end of 2022. 

Learn more about Mr. Soltani and how he’s approached building the CPPA with this <a href="https://www.nytimes.com/2022/03/15/technology/california-privacy-agency-ccpa-gdpr.html">profile</a> from the New York Times.

California Privacy Protection Agency

Passed in 2018, the <a href="https://oag.ca.gov/privacy/ccpa">California Consumer Privacy Act (CCPA)</a> was the first <a href="https://transcend.io/blog/privacy-law/">privacy law</a> of its kind in the US. It established landmark data rights for California (CA) residents and created new requirements for any business that sells to and/or processes personal data from California consumers.

<h3>Consumer rights provided by the CCPA</h3>

Right to be informed - California consumers have the right to know:
* What data and categories of data a business is collecting on them
* How that data is being collected
* How it’s being used both by the business and any third parties

Right of access - Consumers have the right to request access to the personal data a business has collected about them. 

Right to rectification - If a consumer believes their CCPA rights have been violated, they have the right to bring their complaints to the Attorney General.

Right to erasure and right to be forgotten - Businesses must delete a consumer&#39;s data upon request, as long as the consumer&#39;s identity can be verified. In addition, the business must direct any vendors and other service providers to do the same.

Right to restrict process - Consumers have the right to tell a business “<a href="https://transcend.io/solution/targeted-advertising-privacy/">Do not sell my personal information</a>.” Not only that, but the business must provide an easily accessible page on their website that enables the consumer to make this request. 

Right to data portability - After receiving a data request, businesses must provide the consumer’s information in an easily transmittable format.

Right to object - California consumers have the right to object to the use and sale of their data at any time.

<h3>Who does the CCPA apply to?</h3>

The CCPA applies to businesses that: 

<ul>
<li>Process data for 50,000 or more CA residents OR</li>
<li>Have a gross revenue over $25 million OR</li>
<li>Derive 50% or more of annual revenue from selling or sharing CA residents&#39; personal data</li>
</ul>

The CCPA also covers subsidiaries, meaning California based companies can’t exempt themselves by storing consumer data in an offshore subsidiary or storage site.

It also applies to California residents browsing an out-of-state website. So, if people from California visit your website, your company must respect the rights outlined by the CCPA for those visitors—even if your organization is based outside of CA. 

In 2020, the CCPA was amended by the <a href="https://transcend.io/laws/cpra/">California Privacy Rights Act (CPRA)</a>. The <a href="https://transcend.io/glossary/california-privacy-rights-act-cpra/">CPRA</a> changed the CCPA in a variety of ways, but one of the most significant was an increase in the data processing threshold—from 50,000 to 100,000. 

Read more about the <a href="https://transcend.io/blog/cpra-vs-ccpa/">differences between the CCPA and CPRA</a>.

California Consumer Privacy Act

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Data that can be used to distinguish one person from another or can be used for de-anonymizing anonymous data is also considered PII.

A person&#39;s name combined with other specific data (such as a Social Security number, driver&#39;s license number, account name, telephone number, or email address) is always considered PII. Other forms of PII may include:

<ul>
<li>Bank account number</li>
<li>Credit card number</li>
<li>Date of birth</li>
<li>Fingerprints</li>
<li>Health records (including medical history, mental health records, insurance claims, and test results)</li>
</ul>

Increasingly, the combination of two or more pieces of non-PII information may also be considered PII. For example, a username together with a password could be classified as PII.

Personally Identifiable Information

Passed on July 8, 2021, the <a href="https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf">Colorado Privacy Act (CPA)</a> was the third <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">state privacy law</a> in the US. 

With enforcement beginning on July 1, 2023, the <a href="https://transcend.io/blog/colorado-privacy-act-cpa/">CPA</a> places new obligations on businesses that process consumer data in Colorado (CO) while extending new data rights to Colorado residents.

To be <a href="https://www.gibsondunn.com/the-colorado-privacy-act-enactment-of-comprehensive-u-s-state-consumer-privacy-laws-continues/">subject to the CPA</a>, a business must: 

<ul>
<li>Conduct business in Colorado or target goods/services to Colorado residents OR</li>
<li>Control or process personal data for 100,000+ consumers a year OR</li>
<li>Control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data</li>
</ul>

Under the CPA, Colorado residents have the following rights. 

Right to access - A consumer may request access and confirm permission for any personal data processed by the controller.

Right to correction - A consumer has the right to correct any inaccuracy in the personal data held by a controller.

Right to delete - Consumers can request deletion of their personal data.

Right to data portability - Consumers have the right to access and transfer their personal data—the data must be in a format that&#39;s easy to use and transmit. Consumers can exercise their right to data portability twice a year.

Right to opt out - Consumers have the right to opt-out of personal data processing in relation to:
* targeted advertising;
* the sale of personal data; or
* profiling that affects legal decision making

A data controller must honor these rights, unless there is a reasonable justification not to do so. If a data controller refuses to comply with a consumer&#39;s request, they must provide a reason and the consumer may appeal the decision. 

Read our full guide to the <a href="https://transcend.io/blog/colorado-privacy-act-cpa/">Colorado Privacy Act</a> or check out our infographic <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">comparing US tate privacy laws</a>.

Colorado Privacy Act

The <a href="https://gdpr.eu/">General Data Protection Regulation (GDPR)</a> is a landmark data privacy law that passed in 2016 and went into force in May 2018. It applies to any country that&#39;s based in the EU or markets goods/services to EU citizens. 

Creating the framework for modern privacy regulation, the GDPR is one of the strictest privacy laws to date.

The <a href="https://transcend.io/gdpr-requirements-overview/">GDPR</a> originated with the European Data Protection Directive (EDPD), which created a security and data privacy baseline for businesses operating in the EU. As each EU member state was allowed to create their own requirements based on EDPD guidelines, Europe’s data protection authority eventually decided the EU needed a stronger, more centralized privacy law.

Complying with the GDPR is now table stakes for operating a business in the EU, so it’s important organizations understand what’s required. 

Learn more about GDPR requirements with Transcend’s <a href="https://transcend.io/gdpr-requirements-overview/">Complete Guide to the GDPR</a>.

Additional resources
* <a href="https://gdpr.eu/">GDPR.eu</a>
* <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/">Guide to the UK General Data Protection Regulation</a>
* <a href="https://transcend.io/blog/gdpr-data-mapping/">The Complete Guide to GDPR Data Mapping</a>

General Data Protection Regulation

The <a href="https://transcend.io/blog/utah-consumer-privacy-act/">Utah Consumer Privacy Act (UCPA)</a> placed new obligations on businesses processing consumer data in Utah, while giving Utah citizens new data rights. Passed on March 25, 2022, the UCPA will go into force on December 31, 2023. 

To fall under the UCPA, an organization must: 

<ul>
<li>Have an annual revenue of $25 million or more</li>
<li>Conduct business in Utah or market to Utah residents</li>
</ul>

The organization must also:

<ul>
<li>Process or control the data of at least 100,000 Utah residents OR</li>
<li>Derive 50% or more gross revenue from selling personal data and control data for 25,000 or more consumers</li>
</ul>

Under the UCPA, Utah residents are granted certain data rights. 

Right to access - Utah residents can request access to any personal data possessed by an organization.

Right to delete - Residents have the right to request that an organization delete their personal data. It should be noted though that, unlike other <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">state privacy laws</a>, a consumer may only request deletion for data they provided. 

Right to data portability - Utah consumers may request a copy of their data in a readable, transmittable format.

Right to opt-out - Utah consumers have the right to opt out of targeted advertising, sale of personal data, and processing of sensitive data. However, they can’t opt-out of profiling based on automated decision making.

Learn more with our <a href="https://transcend.io/blog/utah-consumer-privacy-act/">complete guide to the Utah Consumer Privacy Act</a>.

Utah Consumer Privacy Act 

A requirement of the <a href="https://transcend.io/glossary/california-consumer-privacy-act/">California Consumer Privacy Act (CCPA)</a>, a &quot;verifiable consumer request&quot; is a request for data access, correction, or deletion—one in which the consumer’s identity has been verified using reasonable means.

The VCR stipulation applies whether the request is made directly by the consumer, on behalf of the consumer&#39;s underage child, or by an <a href="https://transcend.io/blog/authorized-agent-privacy-requests/">authorized agent</a> on behalf of the consumer.

Essentially, the CCPA requires that businesses verify the identity of any indivudal for whom a data request has been submitted.

If a consumer&#39;s identity isn’t verified before fulfilling a request for access, deletion, or correction, it’s possible a company could end up fulfilling a fraudulent request. 

Personal data security is an important part of the CCPA—and the CCPA’s language about verifiable consumer requests is meant to reflect this fact.

Verifiable Consumer Request 

Facebook&#39;s <a href="https://www.facebook.com/business/help/1151133471911882">Limited Data Use (LDU)</a> feature limits the use of data from California (CA) residents, helping businesses remain CCPA compliant.

Under the <a href="https://transcend.io/glossary/california-consumer-privacy-act/">CCPA</a>, California residents have the right to opt out of data sale. Businesses who fail to respect this right can face legal action, so many choose to turn on LDU to strengthen their compliance stance. 

As LDU can significantly impact tracking and performance for California-based marketing campaigns, there are two ways a business can approach this feature. 

<ol>
<li>Allowing users to opt-out through a consent management platform, and then set up LDU to only impact data from users who’ve opted out.</li>
<li>Set up LDU to limit data from all California residents, regardless of their opt-out status.</li>
</ol>

According to <a href="https://www.facebook.com/business/help/1151133471911882">Meta’s release on LDU</a>, businesses have the option to set specific parameters on how the feature works, however: 

<blockquote>
If a business does not set the parameters to US and California, we will determine if a person is in California or not based on certain available signals which may include IP address or advertising ID, when those are available.
</blockquote>

This means that if you have a specific outcome in mind, setting up your LDU parameters is important. 

After LDU’s release, there was a transition period in which LDU was enabled across all Facebook business accounts. However after that point, beginning July 31, 2020, businesses became responsible for implementing LDU on their account as necessary. 

Learn more about <a href="https://www.facebook.com/business/help/1151133471911882">Facebook LDU</a>.

Facebook Limited Data Use

<a href="https://globalprivacycontrol.org/">Global Privacy Control (GPC)</a> is a browser extension that makes it easy for consumers to set privacy preferences for their personal data as they browse the web.

When the setting is enabled, Global Privacy Control sends a signal to publishers and platforms to let them know they should limit data collection and that you do not consent to the sale or sharing of your data.

In the context of modern privacy law, the <a href="https://transcend.io/glossary/california-consumer-privacy-act/">California Consumer Privacy Act (CCPA)</a> and <a href="https://transcend.io/glossary/california-privacy-rights-act-cpra/">California Privacy Rights Act (CPRA)</a> reference an &quot;opt-out preference signal,&quot; and Global Privacy Control is one practical <a href="https://globalprivacycontrol.github.io/gpc-spec/">application</a> of that concept.

<h2>Is Global Privacy Control enforced?</h2>

As of August 2022, yes. 

When Global Privacy Control was released, it wasn&#39;t totally clear if this signal would be enforced by privacy regulators. The <a href="https://allaboutdnt.com/">Do Not Track</a> (DNT) plugin had failed to gain traction and despite indications of support from the California Attorney General, there were no GPC enforcement actions for several years.

However, on August 24, 2022, California Attorney General Rob Bonta <a href="https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement">announced a $1.2M settlement</a> with cosmetics retailer Sephora, citing that the company had:

<ul>
<li>Failed to tell consumers it was selling their personal data</li>
<li>Failed to honor user opt-out requests made via Global Privacy Control</li>
<li>Failed to address these violations within the 30 day cure period</li>
</ul>

The first CCPA enforcement action to date, this settlement was a clear indicator that California regulators intend to support the Global Privacy Control signal. 

<h2>Global Privacy Control background</h2>

Despite Global Privacy Control&#39;s recent heydey in the news, it&#39;s not actually a new idea. <a href="https://transcend.io/glossary/california-consumer-privacy-act/">CCPA</a> has always required that businesses respect browser-based privacy signals, though it didn&#39;t call out GPC by name. 

However, in August of 2020, California Attorney General Xavier Bacerra released new regulation stating: 

<blockquote>
If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request... (<a href="https://casetext.com/regulation/california-code-of-regulations/title-11-law/division-1-attorney-general/chapter-20-california-consumer-privacy-act-regulations-renumbered/article-3-business-practices-for-handling-consumer-requests-renumbered/section-999315-requests-to-opt-out-renumbered">Cal. Code Regs. tit. 11 § 999.315</a>)
</blockquote>

He also <a href="https://twitter.com/AGBecerra/status/1354850321692934144">tweeted</a> his support for Global Privacy Control, referring to the signal as a &quot;stop selling my data switch.&quot;

As California regulators continue to ramp up enforcement, it&#39;s critical your company implements the right technical mechanisms to ensure Global Privacy Control is being honored across your digital presence.

<h2>Global Privacy Control compliance</h2>

Honoring Global Privacy Control is an important part of comprehensive compliance with California&#39;s &quot;Do Not Sell or Share My Data&quot; mandates. 

We&#39;ve outlined the basic steps for complying with those opt-out requirements below, but for more details make sure to check out our full <a href="https://docs.transcend.io/docs/privacy-requirements/data-rights-laws/california-do-not-sell-or-share">&quot;Do Not Sell or Share&quot; implementation guide</a>. 

<ol>
<li>Catalog all data sharing processes and targeted advertising technologies.</li>
<li>Build an opt-out plan based on your business’ specific data practices and desired user experience.</li>
<li>Update your website and implement a consent manager like <a href="https://transcend.io/consent/">Transcend Consent</a> to receive opt outs and detect opt-out signals like Global Privacy Control.</li>
<li>Honor opt outs and monitor for any changes in your data practices or technologies that may impact compliance.</li>
</ol>

<h3>Additional resources</h3>

<ul>
<li><a href="https://globalprivacycontrol.org/">Global Privacy Control — Take Control Of Your Privacy</a></li>
<li><a href="https://www.youtube.com/watch?v=l9JQ6KY96Mg&ab_channel=Transcend">[Video] What Sephora&#39;s $1.2M Settlement Means for CCPA/CPRA Enforcement</a></li>
<li><a href="https://transcend.io/blog/ccpa-gpc-update/">CCPA Update: Businesses must immediately support the Global Privacy Control signal</a></li>
<li><a href="https://docs.transcend.io/docs/consent/global-privacy-control">Global Privacy Control compliance with Transcend</a></li>
</ul>

Global Privacy Control

Passed in 2020, the <a href="https://transcend.io/laws/cpra/">California Privacy Rights Act (CPRA)</a> amended California’s first major privacy law, the <a href="https://transcend.io/glossary/california-consumer-privacy-act/">California Consumer Privacy Act (CCPA)</a>. In broad strokes, the CPRA expanded consumer rights, added more regulation around commercial data processing, and refined the CCPA’s overall scope. 

There are several notable <a href="https://transcend.io/blog/cpra-vs-ccpa/">differences between CCPA and CRPA</a>, but one of the most significant is the increased data processing threshold. 

<h3>Increased data processing thresholds</h3>

Doubling the CCPA’s data processing threshold, the CPRA applies to businesses processing data for 100,000 or more consumers. The result is that many small or mid-sized businesses could end up exempt; however, there are other threshold criteria to consider. 

A business may fall under the CPRA’s scope because it: 

<ul>
<li>Has a gross annual revenue over $25 million OR</li>
<li>Is processing data for over 100,000 California residents OR</li>
<li>Receives 50% or more of it’s annual revenue from sharing or selling data from California residents</li>
</ul>

Unlike many other <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">state privacy laws</a>, the CPRA applies when only one of these criteria are met. 

Learn more about the CPRA 

<ul>
<li><a href="https://transcend.io/ccpa-compliance/">The Complete Guide to CPRA Compliance</a></li>
<li><a href="https://transcend.io/blog/cpra-vs-ccpa/">CCPA vs CPRA: California’s privacy laws explained</a></li>
<li><a href="https://transcend.io/laws/cpra/">Full text: California Privacy Rights Act</a></li>
<li><a href="https://transcend.io/blog/cpra-service-provider-contract-requirements/">Understanding CPRA service provider contract requirements</a></li>
<li><a href="https://transcend.io/blog/cpra-notice-at-collection/">Providing a compliant CPRA notice at collection</a></li>
</ul>

California Privacy Rights Act

Records of processing activities (ROPA) document all data processing and categories of data processing an organization engages in—they&#39;re also a requirement of <a href="https://transcend.io/blog/data-mapping-ropa/">GDPR Article 30</a>. 

<a href="https://gdpr.eu/article-30-records-of-processing-activities/">Article 30</a> outlines certain ROPA guidelines: 

<ul>
<li>Data controllers are responsible for creating and maintaining ROPA, which must include: 

<ul>
<li>Name and contact information for the data controller</li>
<li>Purpose of data processing</li>
<li>Categories of personal data and data subjects being processed</li>
<li>Categories of data recipients (if the data has been shared)</li>
<li>Whether or not the data has or will be transferred to an “international organization” or “third country”</li>
<li>Timeframe for data deletion</li>
<li>Information on data security</li>
</ul></li>
<li>Data processors must maintain ROPA for any processing “carried out on behalf of a controller.”</li>
<li>ROPA must be made available in writing and in a digital format</li>
<li>ROPA must be provided upon request</li>
</ul>

<a href="https://transcend.io/blog/data-mapping-ropa/">ROPA creation</a> is required for any business that employs 250 or more people, whose data processing is “not occasional,” or whose processing may threaten a data subject&#39;s rights or freedoms.

Read Transcend&#39;s <a href="https://transcend.io/blog/data-mapping-ropa/">guide to GDPR Article 30</a>.

Record of Processing Activities

The<a href="https://www.gibsondunn.com/virginia-passes-comprehensive-privacy-law/"> Virginia Consumer Data Protection Act (VCDPA)</a> became law on March 2, 2021 and will go into force on January 1, 2023. 

Part of a larger trend towards <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">state privacy laws in the US</a>, the VCDPA created new requirements for organizations that process data for consumers in Virginia. It also established certain data rights for Virginia residents. 

The <a href="https://transcend.io/blog/cdpa-consumer-data-protection-act/">VCDPA</a> applies to: 

<ul>
<li>Businesses based in Virginia AND</li>
<li>Businesses that market goods or services to Virginia residents</li>
</ul>

Any organization that meets these criteria must also: 

<ul>
<li>Control or process personal data for 100,000 or more Virginia residents per year OR</li>
<li>Process data for 25,000 or more Virginia residents while also earning at least 50% of gross revenue from selling personal data</li>
</ul>

The VCDPA gave Virginia residents the following rights in regards to their personal data.

Right to access - Virginia residents may request access to any personal data a company holds on them. 

Right to correct - If they discover an error, consumers may request a correction of their personal data.

Right to delete - Consumers have the right to delete their personal data. This right applies whether the company received data from the consumer directly or it came from a third-party, such as a data broker.

Right to data portability - Virginia residents may move their data between services. In order to support this right, businesses must, upon request, give an individual their data in an easily transmittable format. 

Right to opt out - Consumers may opt-out of personal data processing for targeted marketing purposes.

Right to appeal - Organizations under the VCDPA must create an appeals process that VA residents can use in the event their data request is denied or otherwise unfulfilled. 

Learn more about the VCDPA with our complete guide &#39;<a href="https://transcend.io/blog/cdpa-consumer-data-protection-act/">VCDPA: Preparing for 2023 enforcement</a>&#39;.

Virginia Consumer Data Protection Act

<a href="https://transcend.io/data-mapping/">Data mapping</a> is a process that helps organizations understand where their data is stored and how it&#39;s used. In the context of <a href="https://transcend.io/blog/privacy-law/">privacy law</a> compliance, it&#39;s an important tool that helps streamline the fulfillment of many regulatory requirements.

A comprehensive data map should: 

<ul>
<li>Reflect all silos and systems that contain personal data</li>
<li>Organize and classify the data points and relevant metadata within</li>
<li>Discover and track new data systems as they are connected</li>
</ul>

As an all-encompassing data inventory, data maps can be used to maintain data hygiene, identify other compliance needs beyond privacy, prepare appropriate security measures, and operationalize how data is stored and employed across an organization.

<h4>Additional resources</h4>

<ul>
<li> <a href="https://transcend.io/blog/gdpr-data-mapping/">The Complete Guide to GDPR Data Mapping</a></li>
<li> <a href="https://transcend.io/blog/data-mapping-basics/">Data Mapping Beginner&#39;s Guide</a></li>
<li> <a href="https://transcend.io/blog/ropa-process/">ROPA Process: Step by step guide</a></li>
</ul>

Data Mapping

In the context of privacy, consent refers to when a consumer knowingly gives a company permission to process their personal data. <a href="https://transcend.io/blog/cookie-consent-banner/">Cookie banners</a>, often a pop-up asking you to ‘Accept’ or ‘Reject’ tracking, is one of the most common examples of consent management. 

The General Data Protection Regulation <a href="https://transcend.io/gdpr-requirements-overview/">(GDPR)</a> and California Consumer Privacy Act <a href="https://transcend.io/blog/cpra-vs-ccpa/">(CCPA)</a> have different approaches to the concept of consent.

<h3>GDPR Consent</h3>

The GDPR was foundational in developing the modern data consent framework. Laying out clear requirements for consent in <a href="https://gdpr.eu/article-4-definitions/">Article 4</a>, the GDPR states consent must be “freely given, specific, informed, and unambiguous.”

<a href="https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/">GDPR Article 7</a> goes on to outline four conditions for valid consent.

<ul>
<li>There must be clear documentation that a user provided consent.</li>
<li>When requesting consent, the process and language must be straightword, easy to understand, and accessible. A <a href="https://transcend.io/consent/">consent management</a> process that’s difficult or confusing invalidates consent. </li>
<li>A consumer may withdraw consent at any point and the process for doing so must be easy.</li>
<li>Consent may not be tied to fulfilling a contract, unless data processing is necessary for completing specific contractual clauses.</li>
</ul>

Obtaining valid consent is taken very seriously under the GDPR, with some of the <a href="https://transcend.io/blog/gdpr-fines/">largest GDPR fines to date</a> being issued due to problems in a company’s consent management process. 

<h3>CCPA Cookie Consent</h3>

Under the CCPA, sites may place cookies without first obtaining consent. However, users must be able to opt out of cookie tracking at any point. This <a href="https://transcend.io/solution/targeted-advertising-privacy/">opt-out</a> consent regime is often seen in the form of a “Do not sell my information” link in a website’s footer menu. 

Though the <a href="https://transcend.io/blog/cpra-vs-ccpa/">CCPA and CPRA</a> don’t require cookie consent, many organizations under these laws still use cookie banners to minimize risk from third-party advertising.

Consent 

Authorized agents are organizations or individuals who can, under privacy laws like <a href="https://transcend.io/gdpr-requirements-overview/">GDPR</a> and <a href="https://transcend.io/blog/cpra-vs-ccpa/">CCPA</a>, fulfill certain data rights on behalf of a consumer. 

The CCPA <a href="https://casetext.com/regulation/california-code-of-regulations/title-11-law/division-1-attorney-general/chapter-20-california-consumer-privacy-act-regulations/article-1-general-provisions/section-999301-definitions">defines authorized agents</a> as:

<blockquote>
“a natural person or business entity registered with the Secretary of State [...] in California that a consumer has authorized to act on their behalf…”
</blockquote>

<a href="https://transcend.io/blog/authorized-agent-privacy-requests/">Authorized agents</a> are a byproduct of modern privacy laws, so what they can do on behalf of consumers differs slightly depending on the law. Most commonly though, they are used to submit <a href="https://transcend.io/glossary/data-subject-access-request/">data subject access requests</a>, sometimes known as <a href="https://transcend.io/privacy-requests/">privacy requests</a>.

In practice, this means consumers will give the authorized agent permission to reach out to any company they believe is processing their data, often through bulk email sends. 

Though largely unregulated in their methods, the GDPR does require that <a href="https://cpra.gtlaw.com/999-326-authorized-agent/">authorized agents</a>:

<ul>
<li>Take steps to ensure data security</li>
<li>Use data obtained during the privacy request only for fulfilling the request itself</li>
</ul>

For the most part, businesses under the CCPA must treat privacy requests from authorized agents the same way they would if it came directly from a consumer. However, they are permitted to request further identity verification in order to ensure the request&#39;s validity.

Authorized Agents

&#39;Do not sell’ refers to a <a href="https://transcend.io/glossary/california-consumer-privacy-act/">California Consumer Privacy Act</a> (CCPA) provision stating that consumers have the right—one organizations must honor—to tell a business not to sell their data for the purpose of <a href="https://transcend.io/solution/targeted-advertising-privacy/">targeted advertising</a>.

In short, if a business collects and sells personal information they must notify the consumer and provide an easy-to-find “Do not sell my personal information” link somewhere on their website. 

‘Do not share’ is a provision in the <a href="https://transcend.io/laws/cpra/">California Privacy Rights Act (CPRA)</a>, which amended the CCPA, that expands what types of data transfer are regulated by <a href="https://transcend.io/blog/cpra-vs-ccpa/">California’s privacy laws</a>. 

The <a href="https://transcend.io/laws/cpra/">CPRA defines sharing</a> as:

<blockquote>
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”
</blockquote>

Put simply, if an organization discloses your personal data by any means to another organization, that counts as sharing–whether or not money was exchanged.

Do not sell/Do not share 

<a href="https://www.gdprsummary.com/schrems-ii/">Schrems II</a> was a legal decision handed down by the Court of Justice of the European Union (CJEU) in the case of Data Protection Commission vs. Facebook Ireland Limited. The decision invalidated <a href="https://www.privacyshield.gov/welcome">Privacy Shield</a>—an agreement between the US and EU that had been regulating trans-Atlantic data transfer. 

According to the <a href="https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf">judgment</a>, Facebook’s transfer of personal data from Ireland to the US posed a significant security risk in that, once in the US, the data could potentially be accessed by US intelligence agencies. According to Max Schrems, the plaintiff in this lawsuit, this access would represent a violation of the <a href="https://transcend.io/gdpr-requirements-overview/">General Data Protection Regulation (GDPR)</a>. 

The GDPR requires that any data transferred out of the EU must be protected by reasonable security measures–if that’s not possible, the transfer is prohibited. 

Since the Schrems II decision, the US and EU have continued discussions to form an adequate replacement for Privacy Shield, but it’s been difficult to reach consensus. In March 2022, the US and EU <a href="https://www.natlawreview.com/article/united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework">announced</a> an ”agreement in principle,” but did not disclose any specifics. 

Privacy experts expect this new agreement, unless it makes significant changes to the Privacy Shield model, will likely meet further legal challenges.

Schrems II

The newly released <a href="https://www.caprivacy.org/cpra-text/#section7">CPRA draft regulations</a> define dark patterns as: 

<blockquote>
“A user interface that is designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.“
</blockquote>

Commonly seen as a tactic to compel <a href="https://transcend.io/blog/cookie-consent-banner/">cookie consent</a>, dark patterns can take a variety of forms: 

<ul>
<li><a href="https://noyb.eu/en/more-cookie-banners-go-second-wave-complaints-underway">Only providing an ‘Accept’ button</a> on a cookie consent banner</li>
<li>Forcing users to click through multiple screens to reject cookies, while allowing them to accept with a single click</li>
<li>User interface language that <a href="https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive">encourages teens to lie about their age</a> in order to sign up for an app</li>
<li>An unsubscribe button that’s purposefully difficult to find or see (buried in a paragraph of text and/or using a low-contrast text color)</li>
<li>Not providing a button to close an account and/or forcing users to call a company representative</li>
</ul>

According to Harry Brignull, a UX specialist, <a href="https://www.wired.com/story/how-to-spot-avoid-dark-patterns/">dark patterns</a> are “the ways in which software can subtly trick users into doing things they didn’t mean to do, or discouraging behavior that’s bad for the company.”

Dark patterns exist on a spectrum in terms of malicious intent. Staying subscribed to a newsletter you signed up for but no longer enjoy is one end, while accidentally allowing a company to collect, store, and sell your personal data is on the other.

Additional resources about dark patterns
* <a href="https://transcend.io/blog/dark-patterns-cpra/">Demystifying dark patterns: A practical primer for CPRA compliance</a>
* <a href="https://www.wired.com/story/how-to-spot-avoid-dark-patterns/">How to Spot - and Avoid - Dark Patterns on the Web</a>
* <a href="https://www.vox.com/recode/22351108/dark-patterns-ui-web-design-privacy">How dark patterns in web design trick you into saying yes</a>
* <a href="https://www.deceptive.design/">Deceptive.design</a>

Dark Patterns

<a href="https://transcend.io/blog/cookie-consent-banner/">Cookies</a> are small text files placed in your browser by the websites you visit. They store data about the site and about you, including your location, preferences, and what you did while on the site.

Cookies can play an important role in how well a website functions, like remembering login information or what’s in a user’s cart. These are the “strictly necessary” cookies you sometimes see in cookie <a href="https://transcend.io/consent/">consent banners</a>.

However, as cookies share information about past searches, they’re frequently used to inform targeted advertising campaigns, and the data they collect can be packaged and sold to whomever has the budget.

Learn more about <a href="https://transcend.io/blog/cookie-consent-banner/">cookie consent</a>.

Tracking Cookies

Pseudonymization is the process of replacing personally identifiable fields within a data record with one or more artificial identifiers or pseudonyms. Commonly used to protect the privacy of personal data, pseudonymization can help support <a href="https://transcend.io/blog/privacy-law/">privacy law</a> compliance efforts.

Pseudonymization is often used as an enhancement to data anonymization techniques. However, while anonymized data cannot be traced back to its original source, pseudonymized data can be de-pseudonymized if the key that links the pseudonym to the original data is compromised.

Thus, pseudonymization is not a method of anonymization, but it can help protect privacy when anonymization isn&#39;t possible. 

As the <a href="https://transcend.io/gdpr-requirements-overview/">GDPR</a> has strict requirements for data security and confidentiality, pseudonymization is often used to prevent unauthorized or illegal processing, as well as accidental data loss.

Pseudonymization

The <a href="https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf">Health Insurance Portability and Accountability Act (HIPPA)</a> is a U.S. federal law that requires medical practices to protect the privacy of your health information. 

The HIPAA Privacy Rule protects all &quot;individually identifiable health information&quot; an organization holds or transmits, no matter the format.

Concurrently, the HIPAA Security Rule outlines specific administrative, physical, and technical safeguards an organization must implement to protect the integrity, confidentiality, and availability of health information.

HIPAA established privacy standards that protect patients’ medical records, as well as health information provided to insurance plans, doctors, hospitals, and other healthcare providers.

HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. It also established national standards for electronic health care transactions, plus national identifiers for providers, health insurance plans, and employers.

The <a href="http://www.hhs.gov">Department of Health and Human Services (HHS)</a> provides guidance and detailed information about HIPAA rules, regulations, and compliance.

HIPAA

The <a href="https://www.govinfo.gov/content/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf">Gramm-Leach-Bliley Act (GLBA)</a>, also known as the Financial Services Modernization Act of 1999, is a U.S. federal law that controls how financial institutions deal with private information from individuals. 

This act protects the personal financial information held by banks, mortgage companies, securities firms, and insurance companies.

To protect consumer privacy, the GLBA requires that financial institutions disclose their information-sharing practices and provide safeguards for sensitive data.

Many <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">state privacy laws in the US</a> offer exemptions to organizations and data types already governed by the GLBA.

Gramm-Leach-Bliley Act

The <a href="https://transcend.io/gdpr-requirements-overview/">General Data Protection Regulation (GDPR)</a> grants EU citizens certain data rights—creating options for controlling personal data and offering recourse if data is processed unlawfully. 

<h3>Right to be informed</h3>

Users have the right to know when and where their data is being collected, how it will be used, whether it will be shared with third parties, and how long it will be stored. Organizations must provide this information openly and in plain language.

<h3>Right of access</h3>

Data subjects have the right to request access to any personal data that an organization may hold. Once the request is received, organizations must respond within 30 days.

<h3>Right to rectification</h3>

Data subjects can request corrections to their personal data if they discover it&#39;s inaccurate or incomplete. 

<h3>Right to be forgotten</h3>

EU citizens may request that an organization delete their personal data, which is why the right to be forgotten is sometimes referred to as the right to erasure. Data controllers may refuse erasure requests, but only if there’s a legitimate reason to keep the data, such as an open line of credit.

<h3>Right to restrict processes</h3>

Data subjects can request limitations or changes to the way their personal data is processed by an organization. 

<h3>Right to data portability</h3>

EU citizens must be able to easily move personal data between services, which means data controllers must be able to give users their data in an easily transmittable format.

<h3>Right to object</h3>

Users can challenge an organization’s purpose of processing, in which case the organization must make a good case for why their purposes are legitimate.

<h3>Rights in relation to automated decision-making</h3>

Data subjects can ask for a review of decisions made through automated processes. 

Additional resources
* <a href="https://transcend.io/gdpr-requirements-overview/">The Complete Guide to the GDPR</a>
* <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/">ICO Guide - Individual rights</a>

GDPR Rights

The <a href="https://transcend.io/gdpr-requirements-overview/">General Data Protection Regulation (GDPR)</a> gives EU citizens and residents more control over their data—implementing data rights and increasing oversight for organizations processing personal data.

A complex piece of legislation with 99 articles that cover everything from the definition of <a href="https://transcend.io/consent/">consent</a> to rules on data portability, the GDPR has seven unifying <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/#the_principles">principles</a>.

<h3>Lawfulness, Fairness, and Transparency</h3>

Data processing must be done “lawfully, fairly, and transparently”—meaning <a href="https://transcend.io/glossary/data-controller/">data controllers</a> need to identify and document at least one lawful basis for any personal data processing. They must also provide detailed information about their data processing in an easily accessible format that uses clear language.

<h3>Purpose Limitation</h3>

Purpose of processing should be determined at the time of collection and any subsequent use should be limited to that purpose. 

If it becomes necessary to use the data for another purpose, this should only occur if the new purpose is compatible with the original one. Data collected for one purpose may not be used for another purpose without consent from the individual, unless it’s otherwise permitted by law.

<h3>Data Minimization</h3>

Data minimization requires that companies only collect the information they need to complete a specific task. 

Under this principle, the personal data you collect should be limited and relevant to what’s strictly necessary. In other words, if you don&#39;t need all of it, don&#39;t keep all of it!

By minimizing the amount of personal data collected, controllers can also reduce data security risk and further protect individuals&#39; rights.

<h3>Storage Limitation</h3>

Data controllers must ensure personal data is stored in a format that allows for data subject identification only as long as is strictly necessary. 

Personal data may be stored for longer periods only if it&#39;s used for archival purposes, historical or scientific research, or statistical analysis—all of which are still subject to the relevant safeguards required by GDPR. 

<h3>Accuracy</h3>

Data controllers must ensure personal data is accurate and up-to-date. If the data is found to be inaccurate, the data controller must correct or erase the data.

<h3>Integrity and Confidentiality</h3>

Data controllers must protect personal data using security measures appropriate for the context. These measures must work to prevent data loss, destruction, and unauthorized or illegal processing.

GDPR Principles

Processing personal data is the primary trigger for most <a href="https://transcend.io/gdpr-requirements-overview/">GDPR requirements</a>, so it’s important organizations understand how personal data is defined.

According to <a href="https://gdpr.eu/article-4-definitions/">Article 4</a> personal data is: 

<blockquote>
“any information which are related to an identified or identifiable natural person.” 
</blockquote>

This definition is quite broad, purposefully so, and examples include: 

<ul>
<li>Numbers associated with a person:

<ul>
<li>Telephone</li>
<li>Driver’s license</li>
<li>Credit card</li>
<li>License plate</li>
<li>Bank account</li>
<li>Social security</li>
<li>Physical address</li>
<li>IP address</li>
</ul></li>
<li>Documentation of working hours or work performance</li>
<li>Utility records (water, electric, sewage) </li>
<li>Biometric data like fingerprints, height, weight, or hair color</li>
<li>Location data</li>
</ul>

Personal data can be direct identifiers, like someone’s name, or indirect identifiers such as physical characteristics. Essentially, personal data is any information that, used independently or in tandem with other data, could identify an individual. 

Learn more about how the <a href="https://gdpr.eu/eu-gdpr-personal-data/">GDPR defines personal data</a>.

GDPR Personal Data

<a href="https://allaboutdnt.com/">Do Not Track (DNT)</a> is a browser setting that tells websites not to place cookies. It has two components: a signal that lets users say they don’t want to be tracked and guidelines for how organizations should respond.

DNT was intended to shield users from online tracking and minimize targeted advertising. Unfortunately, as it lacks a mechanism for enforcement, the setting was never able to effectively limit browser tracking. 

Ultimately, DNT is only a request, one that’s not supported by any major privacy legislation. Companies aren’t compelled to stop tracking a user’s online movements after receiving a DNT signal, so many just ignore it.

Despite its shortcomings, DNT is still supported by Mozilla Firefox, Microsoft Edge, and Google Chrome—though not Apple Safari.

Do Not Track

Data subject access requests (DSAR) are when a consumer or individual asks to see what personal data a company or organization has collected about them. 

Another common variation of this term is data subject request (DSR), which has a broader scope—referring to requests for access, correction, or deletion. 

DSAR are a byproduct of modern privacy laws like the <a href="https://transcend.io/gdpr-requirements-overview/">General Data Protection Regulation</a> (GDPR) and <a href="https://transcend.io/blog/infographic-us-state-privacy-law-tracker/">US state privacy laws</a>, all of which give consumers the ‘right to access.’

Right to access means consumers have the right to know what personal data a company has, how the data is being collected or used, how long it’s being stored—or any combination of the three. 

After receiving a DSAR, organizations have either 30 or 60 days to respond (depending on the law), and the data must be sent to the consumer in a format that’s easy to read and transmit.

Data Subject Access Request

<a href="https://gdpr.eu/article-4-definitions/">GDPR Article 4</a> defines data subjects as “an identified or identifiable natural person.” 

By this definition, data subjects are just people. In this context, people about whom your organization collects and processes data, and who have specific data rights and protections. 

But what qualifies someone as a data subject under the GDPR? 

That part is a little tricky. Several different qualifiers appear throughout the GDPR text—ranging from being an EU citizen to having personal data physically located in the EU. 

Here’s a more detailed review of <a href="https://kirkpatrickprice.com/blog/what-is-gdpr-personal-data-and-who-is-a-gdpr-data-subject/">how data subjects are qualified</a>, including recommendations for how to shore up your compliance stance.

Data Subject

Often a third party, data processors enact the decisions made by data controllers. <a href="https://gdpr.eu/article-4-definitions/">Article 4</a> defines processors as: 

<blockquote>
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
</blockquote>

As they don’t dictate the nature of processing, data processors hold less responsibility compared to <a href="https://transcend.io/glossary/data-controller/">data controllers</a>. However, they are still held to a fairly strict set of guidelines, outlined by <a href="https://gdpr.eu/article-28-processor/">GDPR Article 28</a>. 

Though not an exhaustive list, these guidelines dictate that:

<ul>
<li>Processors must cultivate a technical and organizational environment that ensures compliant processing.</li>
<li>Processors may not contract their work to another processor unless the data controller explicitly agrees. If there are to be any changes to the processing agreement, the processor must inform the controller—giving them a chance to object. </li>
<li>Processing may only occur under contract with a controller. The contract must outline the nature, duration, and purpose of processing, as well as the types of data and data categories that will be processed.</li>
</ul>

For a full list of data processor requirements, check out <a href="https://gdpr.eu/article-28-processor/">Article 28</a>. 

<h4>Further reading</h4>

<ul>
<li><a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/">What are ‘controllers’ and ‘processors’?</a></li>
<li><a href="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en">What is a data controller or a data processor?</a></li>
<li><a href="https://transcend.io/gdpr-requirements-overview/">The Complete Guide to the GDPR</a></li>
</ul>

Data Processor

Data controllers decide how personal data will be processed by their organization. <a href="https://gdpr.eu/article-4-definitions/">GDPR Article 4</a> defines data controllers as:

<blockquote>
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
</blockquote>

According to <a href="https://gdpr.eu/article-24-responsibility-of-the-data-controller/">Article 24</a>, data controllers must: 

<ul>
<li>Consider the “nature, scope, context and purposes of [data] processing”</li>
<li>Evaluate the likelihood and severity of potential risks</li>
<li>Ensure data processing is compliant with GDPR rules, putting in place the necessary technical and organizational frameworks to do so</li>
<li>Implement data protection measures when necessary</li>
<li>Be ready and able to demonstrate compliance</li>
</ul>

The GDPR places greater responsibility on data controllers, as their decisions determine whether an organization&#39;s data processing is compliant. 

For more information, check out the Information Commissioner’s Guide on the <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/">difference between data controllers and data processors</a>.

Data Controller

<a href="https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/">GDPR Article 9</a> prohibits data controllers from processing “special categories of personal data.”

These categories include information that could reveal a data subject’s: 

<ul>
<li>Religious beliefs</li>
<li>Political opinions</li>
<li>Ethnic origins</li>
<li>Trade union memberships</li>
<li>Sexual orientation</li>
</ul>

Article 9 also bans processing of biometric data that could be used identify an individual, their health conditions, or information about their sex life. 

There are quite few exemptions to Article 9, including if: 

<ul>
<li>A data subject provided consent for processing</li>
<li>Processing protects the subject’s vital interests (keeps them alive)</li>
<li>The data has already been made public by the <a href="https://transcend.io/glossary/data-subject/">data subject</a></li>
</ul>

A full list of <a href="https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/">Article 9 exemptions</a> is available <a href="https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/">here</a>.

Article 9

The GDPR requires that data controllers and processors establish and document a lawful basis before processing any personal data. <a href="https://gdpr.eu/article-6-how-to-process-personal-data-legally/">Article 6</a> outlines the six scenarios for lawful data processing:

Consent - The data subject consents knowingly and unambiguously.

Contract - Data processing is necessary for fulfilling or entering into an agreed-upon contract.

Legal obligation - A data controller’s legal obligations require it.

Vital interests - Data processing will protect an interest “which is essential for the life of the data subject.” 

Public interest - Data processing is required for a task that is legal and completed in the “public interest.” 

Legitimate interest - The data controller can offer a “legitimate interest” that doesn’t breach a user’s “fundamental rights and freedoms”

The unifying theme between all the lawful processing scenarios is that they are tied to a specific reason or purpose. According to the Information Commissioner’s Office: 

<blockquote>
No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
</blockquote>

It’s important to note that lawful basis must be identified and documented (internally and in your public privacy policy) before data processing starts. Be mindful during this process—once you establish one lawful basis, it’s not recommended (and potentially not legal) to switch to a different one in the future.

It’s also important to note that documenting lawful basis does not give an organization data processing carte blanche, meaning it can’t be used to justify data processing that doesn’t actually need to happen. If the same purpose can easily be achieved without data processing, lawful basis doesn’t apply.

Article 6 

<a href="https://gdpr.eu/article-30-records-of-processing-activities/">GDPR Article 30</a> states that data controllers and processors must create and maintain records of data processing activities (ROPA). 

While most companies processing data from EU citizens must create ROPA, there are a few exceptions. ROPA are not required if a company’s data processing is:

<ul>
<li>Only “occasional” </li>
<li>Unrelated to a criminal offense</li>
<li>Doesn’t threaten a data subject&#39;s freedoms or rights</li>
<li>The company has less than 250 employees </li>
</ul>

These exceptions leave a fairly narrow group of organizations who are actually exempt. Most organizations that process personal data are doing so more than occasionally. 

And, with no further explanation as to what “not occasional” means—in most cases it’s better to create the ROPA and ensure GDPR compliance. 

Complete ROPA must include: 

<ul>
<li>Name and contact details for the data controller</li>
<li>Documentation on why the data is being processed</li>
<li>Categories of personal data and data subjects</li>
<li>Categories of any recipients of the data</li>
<li>A list of personal data transfers to third countries or international entities</li>
<li>A time frame for data erasure</li>
<li>Details on how the data is being secured</li>
</ul>

<a href="https://transcend.io/blog/data-mapping-ropa/">Learn more about ROPA</a> and the practical application of Article 30.

Article 30

<a href="https://gdpr.eu/article-28-processor/">GDPR Article 28</a> outlines the relationship between <a href="https://transcend.io/glossary/data-controller/">data controllers</a> and <a href="https://transcend.io/glossary/data-processor/">data processors</a>—requiring a shared contract that defines how the processor will handle data provided by the controller. 

This contract must include language that limit how, when, and why data can be processed, including:

<ul>
<li>Data processors may only process personal data according to the instructions provided by the data controller.</li>
<li>Confidentiality agreements for data processor staff in regards to the data being processed.</li>
<li>All personal data must be deleted or returned to the data controller at the end of the data processor’s service term.</li>
<li>The data processor will help to ensure GDPR compliance.</li>
</ul>

In 2017, the Information Commissioner’s Office (ICO) published <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/">additional guidelines</a> for contracts between data controllers and data processors, stating they should include:

<ul>
<li>Subject matter of the data processing</li>
<li>Relevant timelines</li>
<li>Why and how the data is being processed</li>
<li>Types of data being processed</li>
<li>Categories of data being processed</li>
<li>The data controllers rights and obligations</li>
</ul>

The contract between data controllers and processors is binding and must protect a data subject&#39;s rights.

Article 28

Approved in 2018, the General Data Protection Law (LGPD) is Brazil&#39;s data privacy and protection law. Coming into force in August 2020, the LGPD was based on the GDPR, with certain changes that better suit Brazilian legislation. 

Applying to public and private organizations doing business in Brazil, the purpose of the LGPD is to protect the personal data of Brazilian citizens. 

Its unifying principle is that users can decide when and how an organization may use their personal data, meaning organizations must get permission from users before collecting data of any type.

The LGPD is enforced by the National Data Protection Authority (ANPD), which has the power to investigate potential violations, impose fines, create best practices, and issue guidelines.

Table of contents

Data Processor

Further reading

Sign up for Snippets

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.